Zepto Ransomware Packed into WSF Spam

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the common JavaScript and macro documents being spammed previously.

We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:

Since this is a script, we are more concerned with the call tree from WScript.exe. One notable result, encircled above, is the number of modified files. This most indicates a high likelihood that this could either be a virus or ransomware. And considering the proliferation of ransomware attacks lately, that’s our biggest concern.

There are two captured screen shots from our analysis.

Expanding the MODIFIED FILES shows this result.

The files affected are renamed with a “.zepto” filename extension.

Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.

The WSF Script Behavior

Selecting C:\Windows\System32\WScript.exe (3388) shows results of the behaviors done by the WSF alone.

It shows that the script created two files and made an HTTP connection to mercumaya.net.

Let’s look at the two files in the Temp folder.

This is the binary view of UL43Fok40ii file

This is the UL43Fok40ii.exe file. A complete PE file format.

Having only a difference of 4 bytes in size of 208,008 bytes and 208,004 bytes suggests that the file without the .exe filename extension was decrypted to form the PE executable file. Afterwards, the PE executable was run by the WSF script with the argument: “321”.

Expanding the Network connections.

With the com.my suffix from the resolved host, the server seems to be located in Malaysia.

The HTTP header also indicates that the Content-Length was 208,008 bytes. This is the same file size of the encrypted file.

The WSF file executed by the WScript.exe simply downloaded then decrypted a Windows PE file then executed it.

The Downloaded Executable PE file

Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.

Posted some info to a server somewhere in Ukraine.

Accessed hundreds of files.

Executed the default browser (Chrome was set as the default browser)

Deleted a file using cmd.exe

Connected to shares

Dropped the ransom instructions (_HELP_instructions.html). For every folder where a file got encrypted for ransom, a copy of the _HELP_instructions.html is created.

Created 10 threads

The data posted to the Ukraine site is encrypted. Most likely this contains the id and key used to encrypt the files.

TA displays the raw data in hexadecimal form. A partially converted version of the raw data is shown below:

This malware also renamed a lot of files. This is the behavior that encrypts files while renaming the file using a GUID filename with a “.zepto” filename suffix.

In the manner of searching files, it primarily targets the phone book file before traversing from the root directory of the drive.

Also some notable files that were created. The captured screenshot is the contents of the _HELP_instructions.bmp file.

This malware sample attempts to move its running executable to a file in the Temp folder.

With Chrome set as the default browser, the malware opens the file _HELP_instructions.html that it previously created in the Desktop. It also, deletes the malware copy from the Temp folder probably a part of it’s clean up phase.

Here’s what _HELP_instructions.html looks like when opened in a browser.

The process call tree under Chrome.exe are most likely invoked by the browser and not part of this malware.

Prevent Ransomware

Syndicates behind today’s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. In this case, they attacked by using Windows Scripting Files in hopes to pass through email gateways that don’t block WSF files in attachments.

To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.

VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.